Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-20 Thread Aleksandr Konstantinov
Hello,

Thanks a lot. One more question if possible. Is there any way to express
single element of the ASN1 sequence which can be any
of ASN1_OCTET_STRING or ASN1_UTF8STRING and potentially other types?
Or maybe there is some tutorial for new interface similar to something like
http://www.umich.edu/~x509/ssleay/asn1-macros.html for old one?

Best regards,


A.K.



On Mon, Sep 19, 2016 at 3:05 PM, Dr. Stephen Henson <st...@openssl.org>
wrote:

> On Mon, Sep 19, 2016, Aleksandr Konstantinov wrote:
>
> >
> > Thanks. Your answer helped a lot and I'm progressing now. Could You please
> > also give me a hint what M_ASN1_BIT_STRING_dup/ASN1_BIT_STRING_dup could be
> > replaced with?
> >
>
> ASN1_STRING_dup should work fine: ASN1_BIT_STRING is actually typedefed to
> ASN1_STRING.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-19 Thread Aleksandr Konstantinov
Hello,


Thanks. Your answer helped a lot and I'm progressing now. Could You please
also give me a hint what M_ASN1_BIT_STRING_dup/ASN1_BIT_STRING_dup could be
replaced with?


Best regards,


A.K.


On Fri, Sep 9, 2016 at 2:44 PM, Dr. Stephen Henson <st...@openssl.org>
wrote:

> On Fri, Sep 09, 2016, Aleksandr Konstantinov wrote:
>
> > Hello,
> >
> > Thanks for your answer. Here is one of d2i functions simplified:
> >
> > MYEXT * d2i_MYEXT(MYEXT ** myext, unsigned char ** pp, long length) {
> >   M_ASN1_D2I_vars(myext, MYEXT *, MYEXT_new);
> >   M_ASN1_D2I_Init();
> >   M_ASN1_D2I_start_sequence();
> >   M_ASN1_D2I_get_EXP_opt(ret->intmember, d2i_ASN1_INTEGER, 1);
> >   M_ASN1_D2I_get_opt(ret->intmember, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
> >   M_ASN1_D2I_Finish(myext, MYEXT_free, ASN1_F_D2I_MYEXT);
> > }
> >
> >
>
> Presumably the two fields aren't the same? I'll call one intmember2 for
> this example.
>
> The above would translate to something like:
>
> ASN1_SEQUENCE(MYEXT) = {
> ASN1_EXP_OPT(MYEXT, intmember, ASN1_INTEGER, 1),
> ASN1_OPT(MYEXT, intmember2, ASN1_INTEGER)
> } ASN1_SEQUENCE_END(MYEXT)
>
> IMPLEMENT_ASN1_FUNCTIONS(MYEXT)
>
> Then you include:
>
> DECLARE_ASN1_FUNCTIONS(MYEXT)
>
> in a header file.
>
> That generates four functions MYEXT_new(), MYEXT_free(), d2i_MYEXT() and
> i2d_MYEXT().
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
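
The wire format that the template in the quoted reply describes, written out as a stand-alone C check (an added example, not code from this thread or from OpenSSL). The names myext_t, der_hdr, der_int and myext_decode are hypothetical, and it assumes short-form lengths and integers that fit in a long; it shows the tag and bounds checks that hand-written parsing of this structure has to get right.

```c
#include <stddef.h>

/* Hypothetical result type for this example; not an OpenSSL structure. */
typedef struct { int ok, has1, has2; long intmember, intmember2; } myext_t;
/* Read a short-form DER header (length < 128, all this structure needs) with the
 * expected tag; advance *p to the content and return its length, or -1. */
static long der_hdr(const unsigned char **p, const unsigned char *end, int tag) {
    const unsigned char *q = *p;
    if (end - q < 2 || q[0] != tag || q[1] >= 0x80) return -1;
    if (q[1] > end - (q + 2)) return -1;       /* content must fit in the buffer */
    *p = q + 2;
    return q[1];
}

/* Decode an INTEGER of 1..sizeof(long) content bytes, two's complement. */
static int der_int(const unsigned char **p, const unsigned char *end, long *out) {
    long len = der_hdr(p, end, 0x02), v;
    if (len < 1 || len > (long)sizeof(long)) return -1;
    v = ((*p)[0] & 0x80) ? -1 : 0;             /* sign-extend from the first byte */
    while (len--) v = (long)(((unsigned long)v << 8) | *(*p)++);
    *out = v;
    return 0;
}

/* SEQUENCE { intmember [1] EXPLICIT INTEGER OPTIONAL, intmember2 INTEGER OPTIONAL } */
myext_t myext_decode(const unsigned char *buf, size_t n) {
    myext_t m = {0};
    const unsigned char *p = buf, *end = buf + n, *e1;
    long len = der_hdr(&p, end, 0x30);
    if (len < 0 || p + len != end) return m;    /* reject trailing bytes */
    if (p < end && *p == 0xA1) {                /* [1] EXPLICIT wrapper present */
        if ((len = der_hdr(&p, end, 0xA1)) < 0) return m;
        e1 = p + len;
        if (der_int(&p, e1, &m.intmember) || p != e1) return m;
        m.has1 = 1;
    }
    if (p < end && *p == 0x02) {                /* untagged INTEGER present */
        if (der_int(&p, end, &m.intmember2)) return m;
        m.has2 = 1;
    }
    m.ok = (p == end);                          /* anything left is unexpected */
    return m;
}

/* Constructed sample: intmember = 5, intmember2 = 7. */
static const unsigned char sample[] = {0x30,8, 0xA1,3,0x02,1,5, 0x02,1,7};
int main(void) {
    return myext_decode(sample, sizeof sample).ok ? 0 : 1;
}
```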


Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-09 Thread Aleksandr Konstantinov
Hello,

Thanks for your answer. Here is one of d2i functions simplified:

MYEXT * d2i_MYEXT(MYEXT ** myext, unsigned char ** pp, long length) {
  M_ASN1_D2I_vars(myext, MYEXT *, MYEXT_new);
  M_ASN1_D2I_Init();
  M_ASN1_D2I_start_sequence();
  M_ASN1_D2I_get_EXP_opt(ret->intmember, d2i_ASN1_INTEGER, 1);
  M_ASN1_D2I_get_opt(ret->intmember, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
  M_ASN1_D2I_Finish(myext, MYEXT_free, ASN1_F_D2I_MYEXT);
}


Regards,


A.K.



On Thu, Sep 8, 2016 at 10:23 PM, Dr. Stephen Henson <st...@openssl.org>
wrote:

> On Thu, Sep 08, 2016, Aleksandr Konstantinov wrote:
>
> > Hello all,
> >
> > I'm in process of porting our project to OpenSSL 1.1.0. We have part of
> > code which heavily uses M_ASN1_D2I_* and M_ASN1_I2D_* for defining d2i_*
> > and i2d_* methods for new extension. For example code uses M_ASN1_D2I_vars,
> > M_ASN1_D2I_Init and M_ASN1_D2I_start_sequence to start reading sequence of
> > items and then proceeds with M_ASN1_D2I_get_* for content of the
> > sequence. Could please anybody advise what would be proper replacement for
> > those macros in OpenSSL 1.1.0? Is there any new API for such things? Or
> > shall one do raw byte banging?
> >
>
> Those old macros were updated way back in OpenSSL 0.9.7 and finally retired in
> OpenSSL 1.1.0.
>
> You need to write an appropriate ASN.1 module to encode and decode your
> structure. There are many examples of this such as in crypto/cms/cms_asn1.c
> and some much simpler ones in crypto/x509v3 which are perhaps better suited to
> your needs.
>
> They use macros which start with ASN1_SEQUENCE*
>
> Is it possible to look at your old code? Then I could give some more specific
> pointers.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


[openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-08 Thread Aleksandr Konstantinov
Hello all,

I'm in process of porting our project to OpenSSL 1.1.0. We have part of
code which heavily uses M_ASN1_D2I_* and M_ASN1_I2D_* for defining d2i_*
and i2d_* methods for new extension. For example code uses M_ASN1_D2I_vars,
M_ASN1_D2I_Init and M_ASN1_D2I_start_sequence to start reading sequence of
items and then proceeds with M_ASN1_D2I_get_* for content of the
sequence. Could please anybody advise what would be proper replacement for
those macros in OpenSSL 1.1.0? Is there any new API for such things? Or
shall one do raw byte banging?


Best regards,


A.K.


Re: HTTPS connection hangs during SSL handshake

2012-09-12 Thread Aleksandr Konstantinov
On Tuesday 11 September 2012, Supratik Goswami wrote:
> Is there no one in the community who can help me to find the cause of
> the problem ?

Maybe You have firewall issues on office IP machine. Have You tried tcpdump or
similar utility to check if there is something being sent/received?

Regards,

A.K.


 
> On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami
> supratiksek...@gmail.com wrote:
> > I am using OpenSSL version : openssl-1.0.0j in our production.
> >
> > I am facing a strange problem where the SSL connection simply hangs
> > during initial handshake when requested from our office IP address.
> > When I run the same command from another IP address it works fine.
> >
> > From office IP (Unsuccessful connection):
> >
> > [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> > CONNECTED(0003)
> >
> >
> > From a different IP (Successful connection):
> >
> > ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect
> > test.mydomain.com:443
> > CONNECTED(0003)
> > depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
> > Class 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > ---
> > Certificate chain
> >  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> >    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> > Certification Authority/serialNumber=07969287
> >  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> > Certification Authority/serialNumber=07969287
> >    i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> > Certification Authority
> >  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> > Certification Authority
> >    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> > 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> >  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> > 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> >    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> > 2 Policy Validation
> > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> >
> > REMOVED FOR SECURITY REASON
> >
> > -----END CERTIFICATE-----
> > subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> > issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> > Certification Authority/serialNumber=07969287
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 4827 bytes and written 435 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is RC4-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol  : TLSv1
> > Cipher: RC4-SHA
> > Session-ID:
> > 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
> > Session-ID-ctx:
> > Master-Key:
> > 22B470A67XXXB50ED6237BE9
> > Key-Arg   : None
> > Start Time: 1346765613
> > Timeout   : 300 (sec)
> > Verify return code: 19 (self signed certificate in certificate chain
> >
> >
> >
> > Any ideas ?
> >
> >
> > --
> > Warm Regards
> >
> > Supratik
 
 
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Documentation

2003-12-12 Thread Aleksandr Konstantinov


Hello.

I'm trying to understand OpenSSL API. But documentation on the web seems to be very
incomplete. Could please anybody suggest me where to look for better documentation
or easy to understand examples.

Thanks in advance






A.K.


How private key is used ?

2002-10-28 Thread Aleksandr Konstantinov
 Hello.

I'm considering using OpenSSL in my application. So I have read The SSL
Protocol Version 3.0 at http://wp.netscape.com/eng/ssl3/draft302.txt . But I
still can't understand, how during authentication phase parties are actually
authenticated ? I could only find exchange of certificates (public keys). But
they are already public.
I know it should be private keys somehow involved into authentication. I'm
sure I just missed something.
Could anybody help me, please ?


Regards,


A.K.

